AOH :: HP Unsorted V :: BX3775.HTM

Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution



Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution



------=_Part_43397_26840015.1216335258040
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

1. Summary

Product  : Vim -- Vi IMproved
Versions : 5.0--current, possibly older; 4.6 and 3.0 not vulnerable
Impact   : Arbitrary code execution
Wherefrom: Local
Original : http://www.rdancer.org/vulnerablevim-configure.in.html 
http://www.rdancer.org/vulnerablevim-configure.in.patch 

Insecure temporary file creation during the build process is vulnerable
to symbolic link attacks, and arbitrary code execution.  Patch provided.


2. Background

``Vim is an almost compatible version of the UNIX editor Vi.  Many new
features have been added: multi-level undo, syntax highlighting, command
line history, on-line help, spell checking, filename completion, block
operations, etc.''
	-- VIM ``README.txt''


3. Vulnerability

During the build process, a temporary file with a predictable name is
created in the ``/tmp'' directory.  This code is run when Vim is being
build with Python support:

src/configure.in:

         677         dnl -- we need to examine Python's config/Makefile too
         678         dnl    see what the interpreter is built from
         679         AC_CACHE_VAL(vi_cv_path_python_plibs,
         680         [
         681             tmp_mkf="/tmp/Makefile-conf$$"
  (1)--> 682             cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
         683 __:
         684         @echo "python_MODLIBS='$(MODLIBS)'"
         685         @echo "python_LIBS='$(LIBS)'"
         686         @echo "python_SYSLIBS='$(SYSLIBS)'"
         687         @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
         688 eof
         689             dnl -- delete the lines from make about
Entering/Leaving directory
  (2)--> 690             eval "`cd ${PYTHON_CONFDIR} && make -f
${tmp_mkf} __ | sed '/ directory /d'`"
         691             rm -f ${tmp_mkf}

The attacker has to create the temporary file
``/tmp/Makefile-conf'' before it is first written to at (1).  In
the time between (1) and (2), arbitrary commands can be written to the
file.  They will be executed at (2).


3. Test Case

No test case.


4. Patch

Patch fixing this vulnerability can be found at the following URL:

http://www.rdancer.org/vulnerablevim-configure.in.patch 

Please note: The patch fixes ``src/configure.in'', an input file used by
the ``autoconf'' command.  ``autoconf'' uses this input file to create
``src/auto/configure''.  It is necessary to remove the latter, if
present, to force its recreation.  Otherwise, further build runs will
still use it, and the vulnerability will still be present.


5. Copyright

This advisory is Copyright 2008 Jan Minar  

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/ 

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license.  See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties.  Those parties may hold copyright, and those portions may be
copied according to their respective licenses.


6. History

2008-07-17 Sent to: ,  
,  

------=_Part_43397_26840015.1216335258040
Content-Type: text/x-patch; name=vulnerablevim-configure.in.patch
Content-Transfer-Encoding: base64
X-Attachment-Id: f_firyiv9d0
Content-Disposition: attachment; filename=vulnerablevim-configure.in.patch

LS0tIC0JMjAwOC0wNy0xNyAyMjoyMToxMy41OTk4MDEzNTIgKzAxMDAKKysrIHNyYy9jb25maWd1
cmUuaW4JMjAwOC0wNy0xNyAyMjoyMTowMy4wMDAwMDAwMDAgKzAxMDAKQEAgLTY3OCw4ICs2Nzgs
MTIgQEAKIAlkbmwgICAgc2VlIHdoYXQgdGhlIGludGVycHJldGVyIGlzIGJ1aWx0IGZyb20KIAlB
Q19DQUNIRV9WQUwodmlfY3ZfcGF0aF9weXRob25fcGxpYnMsCiAJWwotCSAgICB0bXBfbWtmPSIv
dG1wL01ha2VmaWxlLWNvbmYkJCIKLQkgICAgY2F0ICR7UFlUSE9OX0NPTkZESVJ9L01ha2VmaWxl
IC0gPDwnZW9mJyA+JHt0bXBfbWtmfQorCSAgICB0bXBfbWtmPSJgbWt0ZW1wYCIKKwkgICAgaWYg
dGVzdCAkPyAtbmUgMCB8fCAhIHRlc3QgLWYgIiR7dG1wX21rZn0iOyB0aGVuCisJICAgIAllY2hv
ICJFcnJvcjogQ2FuJ3QgY3JlYXRlIHRlbXBvcmFyeSBmaWxlLiBBYm9ydGluZy4iCisJICAgIAll
eGl0IDEKKwkgICAgZmkKKwkgICAgY2F0IC0tICIke1BZVEhPTl9DT05GRElSfS9NYWtlZmlsZSIg
LSA8PCdlb2YnID4iJHt0bXBfbWtmfSIKIF9fOgogCUBlY2hvICJweXRob25fTU9ETElCUz0nJChN
T0RMSUJTKSciCiAJQGVjaG8gInB5dGhvbl9MSUJTPSckKExJQlMpJyIKQEAgLTY4Nyw4ICs2OTEs
OCBAQAogCUBlY2hvICJweXRob25fTElOS0ZPUlNIQVJFRD0nJChMSU5LRk9SU0hBUkVEKSciCiBl
b2YKIAkgICAgZG5sIC0tIGRlbGV0ZSB0aGUgbGluZXMgZnJvbSBtYWtlIGFib3V0IEVudGVyaW5n
L0xlYXZpbmcgZGlyZWN0b3J5Ci0JICAgIGV2YWwgImBjZCAke1BZVEhPTl9DT05GRElSfSAmJiBt
YWtlIC1mICR7dG1wX21rZn0gX18gfCBzZWQgJy8gZGlyZWN0b3J5IC9kJ2AiCi0JICAgIHJtIC1m
ICR7dG1wX21rZn0KKwkgICAgZXZhbCAiYGNkICR7UFlUSE9OX0NPTkZESVJ9ICYmIG1ha2UgLWYg
IiR7dG1wX21rZn0iIF9fIHwgc2VkICcvIGRpcmVjdG9yeSAvZCdgIgorCSAgICBybSAtZiAtLSAi
JHt0bXBfbWtmfSIKIAkgICAgaWYgdGVzdCAieCRNQUNPU1giID0gInh5ZXMiICYmICR7dmlfY3Zf
cGF0aF9weXRob259IC1jIFwKIAkJImltcG9ydCBzeXM7IHN5cy5leGl0KCR7dmlfY3ZfdmFyX3B5
dGhvbl92ZXJzaW9ufSA8IDIuMykiOyB0aGVuCiAJICAgICAgdmlfY3ZfcGF0aF9weXRob25fcGxp
YnM9Ii1mcmFtZXdvcmsgUHl0aG9uIgo------=_Part_43397_26840015.1216335258040--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.